Arizona Security Leader: Identifying the Threat Is Essential to Meeting It

As cybersecurity has evolved, the conversation has moved from attacking threats to addressing them methodically, even tactically.

As protecting government networks and IT assets becomes more and more important, officials in the public sector are increasingly looking to new tools to help them better identify the risks. This was the theme of a May 8 webinar hosted by Arizona Chief Information Security Officer (CISO) Mike Lettman and cybersecurity vendor RiskSense.

During the roughly hour-long session, Lettman illustrated the importance of better mapping the threat environment and the state’s efforts to move more tactically when it comes to meeting those threats.

Whereas Lettman and the roughly 125 agencies that operate within the state’s boundaries might have once patched and sampled to pinpoint vulnerabilities, new tools are helping not only to paint a more detailed image of the state’s risk, but also to prioritize it through a feature-rich dashboard.

“We have gaps in security at every agency and I’m sure that most states around the country have the exact same situation,” he said during the session. “We had inefficiencies in security in the form of duplication in every agency.”

After looking at some of the recent incidents in states like Utah, Montana and South Carolina, the CISO said the need to better coordinate and respond to threats throughout the jurisdiction was never more obvious.

A high-level review of Arizona's IT footprint would reveal what he called “appalling” security gaps and system redundancies. Addressing these redundancies would ultimately open the door to considerable cost savings.

“Once we gained visibility into agency risk we realized that we had some gaps we had to fill and we had some issues we had to resolve,” he said.

And securing the state’s IT assets has never been more imperative — especially when held against the cybersecurity intelligence metrics. On any given day, the state launches 15 investigations; sees 3,000 Trojan attempts and 50 structured query language (SQL) injections; and receives as many as 100,000 spam emails.

To meet the challenge, Lettman said the state had to establish enterprise-level controls and set common benchmarks throughout the jurisdiction. One challenge facing the state was finding adequate talent in the cybersecurity space.

“We had an issue of lack of knowledge and cyber-resources in all the agencies. Security people are tough to compete for from a government entity in the market,” he said. “We’re lucky to have a dozen of them, much less a bunch in every agency.”

By leveraging the dashboard, personnel were better able to see and address existing and developing issues across the state.

RiskSense CEO Dr. Srinivas Mukkamala said his platform has helped the Arizona cybersecurity efforts most by providing visibility and priority to the various threats. Rather than simply relying on scanners and other common diagnostic strategies, the RiskSense dashboard allows users to visualize the risk and where it stands on the risk spectrum.

“We started looking at how do we break it down into a very simple understanding into what are we doing today from a diagnostic perspective,” Mukkamala explained. “Before too long you can see that there is a lot of data to be looked at and a lot of information that needs to be analyzed.”

Not unlike a consumer credit score, the platform generates a number based on the existing risks and how quickly they are mitigated.

Once data is gathered and visualized, Mukkamala said cybersecurity staff needs to understand it, prioritize it, validate it and provide feedback in a repeatable and consistent way. The RiskSense dashboard helps to automate portions of this process into a consolidated view.

“Then ultimately the … goal is once I gain visibility, to reduce the risks,” he said.

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.